CCS2025
Dissertation Research Description: The Potential of SBOMs to Increase Software Supply Chain Security
Lukas Gehrke
Abstract
Software supply chain security is an essential area of cybersecurity, as shown by attacks such as the XZ Utils incident in 2024. Software Bills of Materials (SBOMs) were introduced to keep track of the supply chain of a software artifact. They were brought to widespread attention in 2021 through US Executive Order 14028. The EU will make SBOMs mandatory by 2027 with its Cyber Resilience Act from 2024. In contrast to these demands for SBOMs through legislation, practitioners struggle to make real use of them. Multiple recent studies have concluded that adoption of SBOMs and their integration into security processes face various challenges. At the same time, accuracy and correctness problems of SBOMs generated by widespread tools have been shown. Based on this situation, the dissertation research is dedicated to the research question: What benefit do SBOMs provide, and what further benefit can they potentially provide, for supply chain security? To answer it, this research description introduces four intended contributions: (1) First, all knowledge about the history of SBOMs and related concepts in Computer Science is systematized. (2) Second, an SBOM usage model is developed that provides an abstract view of the software supply chain as well as of the actors involved in it. The goal of the model is to give a theoretical foundation for making practical use of SBOMs. (3) Third, with BOM2VULN, an analysis of current tools that map vulnerabilities to SBOMs is conducted, potentially including the introduction of a new tool for this task. The goal is to provide security engineers with a means of quickly finding vulnerabilities and assessing their relevance. (4) Lastly, the SBOM Nutri Score is proposed, including an evaluation. The score helps practitioners evaluate the software supply chain risk of third-party code they use or intend to use.